This security scheme is based on groups and roles. This page is a step-by-step tutorial for simple, role-based security management.
Thinking roles
Define the roles you will need (our security policy is based on roles). To manage the security of the Accounting Module, we define two simple roles:
- One will be able to add new elements (purchases, payments, etc.)
- One will only be able to consult elements
Adding functions
In your ERP5 Site, go to portal_categories/function/ then "Action > Add Category". Create two functions this way, each with an explicit Id, Title and Codification (for example: accountant, Accountant, ACC).
Adding users
Use the Person module to create new persons. In the Assignment tab, specify a login and a password.
- For each person, add a new assignment and open it. Set the function of the assignment according to the permissions you want to grant the given user.
A person without a login, a password and an open assignment will not be a user.
Fixing assignment lookup policy
In our example only the function determines a user's rights; by default, the site and group are taken into account too (see getPortalAssignmentBaseCategoryList). To override this default, create a Python (Script) named ERP5Type_getSecurityCategoryMapping (to follow the naming conventions) in portal_skins/custom (or any other folder in the acquisition path) with this content:
## Script (Python) "ERP5Type_getSecurityCategoryMapping"
##bind container=container
##bind context=context
##bind namespace=
##bind script=script
##bind subpath=traverse_subpath
##parameters=
##title=
##
# Only the 'function' base category of an assignment is used for security.
return (
  ('ERP5Type_getSecurityCategoryFromAssignment', ['function'] ),
)
Setting access for a given type
Now we want to restrict access to the Accounting Module. Call accounting_module/Base_setDefaultSecurity to disable security acquisition for the module, then go to portal_types/Accounting Transaction Module/manage_editRolesForm (the Roles tab of the management interface of the Accounting Module portal type).
Adding Roles for the module
Now it's time to add some roles, here is an example:
Name: Accountant
Role: Assignor
Base Category Script: ERP5Type_getSecurityCategoryFromAssignment
Category: function/accountant
This grants the Assignor role to any person with an assignment specifying the accountant function. Once every role definition is added, press the "Update Role Settings" button at the bottom of the page.
Don't forget to set roles for every portal type you need.
Just log in with a newly created person using the associated login/password pair and you're done.
Note: If the system already contained data, do not forget to reindex the site after changing roles. Otherwise users will have access to the objects, but the objects will not appear in listboxes.
Just a little bit further
Roles are assigned on a per-type basis, not a per-object basis. This lets you fix general rules for every kind of object; once set up, the security settings do not need to change anymore.
- Category
This is the category the user must have to get the permission (e.g. function/ceo).
- ERP5Type_getSecurityCategoryMapping
This script tells ERP5 which base categories are used for security. It must return every base category list you want to use in the Base Category setting. To grant access based on the site, OR on the group and the function, you would return something like:
return (
  ('ERP5Type_getSecurityCategoryFromAssignment', ['site'] ),
  ('ERP5Type_getSecurityCategoryFromAssignment', ['group','function'] ),
)
- Base Category
This is a list of base categories (space separated); the list should correspond to an entry returned by ERP5Type_getSecurityCategoryMapping. When a user creates an object, ERP5Security takes the Owner's assignments and grants the permission to people with the same base category values.
Example
If you set Base Category = group and Category = function/ceo, the permission is granted to the CEO of the group found in the Owner's assignment (the resulting group will be something like "WORLDCOMPANY_CEO"). If you omit Category, only the Owner's properties are taken into account. If you omit Base Category, the rule is based only on the specified category (in general, a function).
You can specify a list of Base Categories and Categories separated by spaces.
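To make the interaction between the mapping script, the Base Category list and the Category concrete, here is a stand-alone simplified model of the resolution described above. It is an added illustration for this tutorial, not ERP5's own code: it assumes that security group ids are the categories' Codifications joined with "_" in base-category order (as in the "WORLDCOMPANY_CEO" example), and it models assignments as plain dicts. It covers both the function-only mapping used in the tutorial and the "site OR group and function" variant, and includes a check for the caveat that a role's Base Category list must correspond to a mapping entry.

```python
# Added illustration: simplified model of how ERP5 combines assignments, the
# ERP5Type_getSecurityCategoryMapping script and a role definition
# (Base Category + Category) into security groups. Not ERP5's own code.
# Assumption: group ids are Codifications joined with "_" in base-category order.

# Constructed sample codifications, as entered on each category in
# portal_categories (Id, Title, Codification).
CODIFICATION = {
    "function/accountant": "ACC",
    "function/ceo": "CEO",
    "group/worldcompany": "WORLDCOMPANY",
    "group/otherco": "OTHERCO",
    "site/paris": "PARIS",
}

# Constructed sample: open assignments per login, each as base category -> category.
ASSIGNMENTS = {
    "alice": [{"site": "site/paris", "group": "group/worldcompany", "function": "function/ceo"}],
    "bob":   [{"site": "site/paris", "group": "group/worldcompany", "function": "function/accountant"}],
    "carol": [{"site": "site/paris", "group": "group/otherco", "function": "function/ceo"}],
}

# The two mappings shown in the text: function only, and site OR group+function.
TUTORIAL_MAPPING = (
    ("ERP5Type_getSecurityCategoryFromAssignment", ["function"]),
)
EXTENDED_MAPPING = (
    ("ERP5Type_getSecurityCategoryFromAssignment", ["site"]),
    ("ERP5Type_getSecurityCategoryFromAssignment", ["group", "function"]),
)

# Role definitions as they would be entered in a portal type's Roles tab.
ACCOUNTANT_ROLE = {"role": "Assignor", "base_category": [], "category": ["function/accountant"]}
CEO_OF_OWNER_GROUP = {"role": "Assignor", "base_category": ["group"], "category": ["function/ceo"]}


def group_id(category_values):
    """Join the codifications of the given category values, e.g. WORLDCOMPANY_CEO."""
    return "_".join(CODIFICATION[value] for value in category_values)


def user_security_groups(login, mapping):
    """Groups a user belongs to: one per open assignment and per mapping entry.

    An assignment lacking one of an entry's base categories yields no group for
    that entry, which is why a role's Base Category list must match an entry.
    """
    groups = set()
    for assignment in ASSIGNMENTS.get(login, []):
        for _script, base_category_list in mapping:
            if all(bc in assignment for bc in base_category_list):
                groups.add(group_id([assignment[bc] for bc in base_category_list]))
    return groups


def role_target_group(role, owner_assignment):
    """Group a role definition grants its role to, for an object whose creator
    holds owner_assignment: Base Category values come from the owner's
    assignment, Category values are fixed by the definition."""
    values = [owner_assignment[bc] for bc in role["base_category"]]
    values += role["category"]
    return group_id(values)


def role_matches_mapping(role, mapping):
    """Check the caveat from the text: the role's Base Category list plus the
    base category of each fixed Category must equal one mapping entry."""
    wanted = list(role["base_category"]) + [c.split("/")[0] for c in role["category"]]
    return any(list(bcl) == wanted for _script, bcl in mapping)


def user_has_role(login, role, owner_assignment, mapping):
    """True if the user falls in the group targeted by the role definition."""
    return role_target_group(role, owner_assignment) in user_security_groups(login, mapping)


if __name__ == "__main__":
    owner = ASSIGNMENTS["bob"][0]  # bob creates an accounting object
    for login in ASSIGNMENTS:
        print(login, sorted(user_security_groups(login, EXTENDED_MAPPING)),
              "CEO of owner's group:", user_has_role(login, CEO_OF_OWNER_GROUP, owner, EXTENDED_MAPPING))
    print("ACCOUNTANT_ROLE usable with TUTORIAL_MAPPING:", role_matches_mapping(ACCOUNTANT_ROLE, TUTORIAL_MAPPING))
    print("ACCOUNTANT_ROLE usable with EXTENDED_MAPPING:", role_matches_mapping(ACCOUNTANT_ROLE, EXTENDED_MAPPING))
```

Running it shows the point of the mapping caveat: with EXTENDED_MAPPING, bob only belongs to PARIS and WORLDCOMPANY_ACC, so the tutorial's function-only Accountant role (target group ACC) grants him nothing until either the mapping gains a ['function'] entry or the role gains Base Category = group.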
